What is the best encrypted email provider?

ackzor20 · #1 March 3rd, 2012, 01:38 PM

What is the best encrypted email provider that doesn't give out IP addresses and that doesn't have access to the mail themselves. The only good one I know is countermail but they use java which is bad, right?

woomera · #2 March 3rd, 2012, 02:33 PM

this might help:
http://www.hacker10.com/other-comput...28Hacker+10%29

mirimir · #3 March 3rd, 2012, 04:07 PM

If you're worried about having your IP address revealed, use a good VPN. If it really matters, tunnel the VPN through Tor, and pay for it anonymously. If you want privacy, use Thunderbird with Enigmail. If you want total anonymity and privacy, use remailer chains and alt.anonymous.messages (and be very patient). If you're too lazy for any of that, Countermail is your best bet. But don't use that browser with Java for other web access.

ackzor20 · #4 March 3rd, 2012, 04:29 PM

Well, a VPN will give out any information to any authority if asked, right? And you never know if they keep loggs.

The problem with countermail is that you need java to create an account and to keep paying the subscriptions.. and to make some other configurations, right? Isn't there a better alternative to Countermail?

If not, I pressume countermail routet through TOR with Thunderbird is the best option?

Countermail · #5 March 4th, 2012, 05:46 AM

I wrote a post earlier about Java, and also TOR:
http://www.wilderssecurity.com/showp...8&postcount=90

In my opinion you will decrease the security by using TOR with our service, and we don't log IP-addresses anyway.

I hope you don't think that we put a backdoor or anything dangerous in our applet? If we did, our business would be ruined, and years of work would be wasted. As long as the applet is signed by our company, Intergrid AB, the risk for malware is almost non-existent.

But as I wrote before, you can also use a virtual OS where you run the Java-enabled browser, like Virtualbox, or a from Live-CD etc.
Edit: It might be worth mentioning that Windows 7 (Pro/Ultimate/Ent) have a free Virtual Windows PC (XP), which works fine: http://www.microsoft.com/windows/vir.../download.aspx

ackzor20 · #6 March 4th, 2012, 06:00 AM

But if the police asks you, you have to cooperate with getting the IP don't you? Isn't that exactly what happend with Husmail? How can a user know that you don't start logging IPs all of a sudden? Out of curiosity, what would happen if the police asked you to start cooperating with them? Has no agency ever in the history of your company ever asked you to give out information or cooperate? What was your response?

Oh and as a side-question, do you store creditcard information or liberty reserve account information?

Countermail · #7 March 4th, 2012, 07:43 AM

Quote:

Originally Posted by ackzor20

But if the police asks you, you have to cooperate with getting the IP don't you? Isn't that exactly what happend with Husmail? How can a user know that you don't start logging IPs all of a sudden?

We do not have to log IP-adresses in Sweden, see my earlier posts, like this one: http://www.wilderssecurity.com/showp...7&postcount=93

Quote:

Out of curiosity, what would happen if the police asked you to start cooperating with them? Has no agency ever in the history of your company ever asked you to give out information or cooperate? What was your response?

With a service like ours there will always be a risk of some people abusing it. Yes, we've had a few cases when the police asked us about account-info, like IP and password, and we have always responded that we do not store such information, which they have accepted. As long as we follow the law we have nothing to worry about. It's only the email headers that are unencrypted*, in one fraud-case we found an email stored in the Sent-folder, this email was sent to a personal Hotmail address, the police wanted that Hotmail-address. So I suppose the police contacted Microsoft to advance in that case.

Yes, we have to cooperate with the Swedish police, but we can not give them information that we don't store.

*=From,To,Subject,Date. The SMTP/IMAP protocol do not support encrypted email headers, but later this year we are going to create a converter where you can select any email folder and convert it to a pure database version of the folder, then the email headers will also be encrypted. The only disadvantage with this is that the database-folder will only be visible from our webmail interface.

Quote:

Oh and as a side-question, do you store creditcard information or liberty reserve account information?

Yes, we store them for 14 days to be able to follow the law which says that every user have the right to a refund (within 14 days from the purchase). Our cron-script automatically deletes personal info after this period. The payment provider may store info longer, but we don't.

bryanjoe · #8 March 4th, 2012, 09:16 AM

can the swedish authority request providers to start logging?

Countermail · #9 March 4th, 2012, 09:54 AM

Quote:

Originally Posted by bryanjoe

can the swedish authority request providers to start logging?

Not the ordinary police, but the swedish security police (SÄPO) might be able to do that if there is a serious threat to the whole nation. We have not had such a case yet. As far as I know, every country have these exceptions in their laws. I would not recommend using our service if you are planning to detonate a nuclear bomb

PaulyDefran · #10 March 4th, 2012, 10:06 AM

Thanks for the info CM. It's nice to have the vendor answer questions in a direct manner. SMTP Smart Host please

PD

Countermail · #11 March 4th, 2012, 10:19 AM

Quote:

Originally Posted by PaulyDefran

Thanks for the info CM. It's nice to have the vendor answer questions in a direct manner. SMTP Smart Host please

PD

Thanks. Does your ISP have port 25 open? Here in Sweden most ISP:s have closed that port to prevent private spamming SMTP servers.

ackzor20 · #12 March 10th, 2012, 09:35 AM

Quote:

Originally Posted by Countermail

I wrote a post earlier about Java, and also TOR:
http://www.wilderssecurity.com/showp...8&postcount=90

In my opinion you will decrease the security by using TOR with our service, and we don't log IP-addresses anyway.

I hope you don't think that we put a backdoor or anything dangerous in our applet? If we did, our business would be ruined, and years of work would be wasted. As long as the applet is signed by our company, Intergrid AB, the risk for malware is almost non-existent.

But as I wrote before, you can also use a virtual OS where you run the Java-enabled browser, like Virtualbox, or a from Live-CD etc.
Edit: It might be worth mentioning that Windows 7 (Pro/Ultimate/Ent) have a free Virtual Windows PC (XP), which works fine: http://www.microsoft.com/windows/vir.../download.aspx

So if I use something like TOR Box I can use your services with the Java Enabled Browser without revealing my IP? Would you say that is better than using a client like Thunderbird through TOR?

Also, is SSL safe enough to use TOR through your service, I might of missunderstood, but would it be safer to use the USB key because that would make it impossible for MITM attacks?

Less · #13 April 18th, 2012, 07:58 AM

any promo for countermail?

Countermail · #14 April 24th, 2012, 11:24 AM

Quote:

Originally Posted by ackzor20

So if I use something like TOR Box I can use your services with the Java Enabled Browser without revealing my IP? Would you say that is better than using a client like Thunderbird through TOR?

You can use TOR if you have java enabled. But as I wrote earlier, it's even better to not use TOR, since we don't store IP-adresses, by using TOR you are adding an unknown third party. We have had some police requests regarding IP-addresses, but since we don't store IP:s we can't give them any, and they have accepted that. In our country there are no laws requiring us to store IP-adresses or passwords.

When using a third party client like Thunderbird you will only connect to our proxy, your IP will not be forwarded or stored anywhere.

Thunderbird do not have the same protection against SSL-MITM as our Java-applet have. Same with DNS-spoofing, our applet will detect spoofing, a third party client like Thunderbird will not do that.

Quote:

Also, is SSL safe enough to use TOR through your service, I might of missunderstood, but would it be safer to use the USB key because that would make it impossible for MITM attacks?

The USB-keyfile will make your password much stronger by adding 512 random bits. These bits will also be added to the protection of your private PGP-keyring. The USB will also give a really good protection against keyloggers. USB works only with our Java-applet.

SSL gives a decent protection, but it will not give full protection against some advanced organizations or criminals, some examples below:
https://www.eff.org/deeplinks/2010/0...ments-fake-ssl
https://www.eff.org/deeplinks/2011/0...against-google
http://www.theinquirer.net/inquirer/...tar-ssl-attack
http://www.theregister.co.uk/2011/09...ts_paypal_ssl/
http://technet.microsoft.com/en-us/s...letin/ms12-006
http://files.cloudprivacy.net/ssl-mitm.pdf
http://www.wired.com/threatlevel/201...do-compromise/
http://www.wired.com/threatlevel/201...ket-forensics/
http://www.theregister.co.uk/2011/04..._ssl_analysis/
http://www.reuters.com/article/2012/...8110Z820120202

chronomatic · #15 April 24th, 2012, 06:20 PM

Quote:

Originally Posted by Countermail

Thunderbird do not have the same protection against SSL-MITM as our Java-applet have.

It does if you use PGP/GPG directly.

Also, I LOL'ed at your pic of the USB key next to a cigarette on your website. You said "We do not endorse smoking, this is just for comparison purposes."

Couldn't you have found an ink pen or something? LOL

EDIT:

Also I found this incorrect info on your website:

Quote:

Public key algorithms are based on the mathematical concepts of factoring, exponentiation and modulo arithmetic. To increase the computational complexity of the process, large numbers are used. The security (strength) is measured by the binary length of the public key: 384 bits can be broken relatively easily, 512 bits is probably insecure and breakable by major governments, 768 bits is probably relatively safe, 1024 bits should be secure for decades according to today's information. 2048 bits will remain safe for a VERY long time. CounterMail is using the 2048-bit RSA algorithm.

A 512 bit RSA key was brute forced publicly in 1999. A 768 bit key was brute forced publicly in 2009. And 1024 bit keys will not be safe for decades (it wont be long before they are brute forced. NSA likely already does it). NIST has already recommended that 1024 bit keys be dropped by 2010 (2 years ago).

Countermail · #16 April 25th, 2012, 03:32 AM

Quote:

Originally Posted by chronomatic

It does if you use PGP/GPG directly.

Not fully, you will be able to see the sender and the recipient, and the account username. In some cases that could be dangerous info.

Quote:

Also I found this incorrect info on your website:

Thanks, yes, the info on that page was old

Defenestration · #17 May 3rd, 2012, 09:26 PM

Quote:

Originally Posted by Countermail

Thunderbird do not have the same protection against SSL-MITM as our Java-applet have. Same with DNS-spoofing, our applet will detect spoofing, a third party client like Thunderbird will not do that.

According to the description/picture on your website here, only the mail body is encrypted with the recipients public key by the CounterMail engine, before being sent over SSL. How is this more secure than Thunderbird (From, To, Subject still remain visible to SSL-MITM) ?

To be more secure, the CounterMail engine should still encrypt the body with the recipients public key first, but then encrypt everything (including all headers) with the public key of the CounterMail server.

If this is how it already works, the description on the web page needs updating to reflect this.

xM5 · #18 May 27th, 2012, 12:05 PM

Quote:

Originally Posted by mirimir

Countermail is your best bet. But don't use that browser with Java for other web access.

por que? what do you mean by this? so if I use firefox and countermail, don't use firefox to browse the web also?

mirimir · #19 May 27th, 2012, 02:50 PM

Quote:

Originally Posted by xM5

por que? what do you mean by this? so if I use firefox and countermail, don't use firefox to browse the web also?

Java in Firefox is dangerous, because of its capabilities.

xM5 · #20 May 29th, 2012, 09:23 AM

any comment on the below, it is from 2010..

As far as Relakks and Ipredator are concerned since they are in Sweden I don't know if this is still a problem for using a Swedish service;

In June the Swedish parliament passed a controversial surveillance law that gives authorities a mandate to read all email and listen in on all phone calls without warrant or court order. In response to the law, The Pirate Party organized rallies, bloggers and journalists turned into activists, and even Google decided to relocate their servers.

http://torrentfreak.com/swedes-massi...ap-law-080707/

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search